1. International Organization for Standardization (ISO). (2013). ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. Geneva, Switzerland: ISO/IEC.
Reference: Annex A, Control A.12.1.2, states that the control objective is "To ensure that changes to information processing facilities and systems are controlled."
Reference: Annex A, Control A.14.2.2, "System change control procedures," further reinforces this by requiring that "Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures."
2. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.
Reference: Chapter 12, Section "A.12.1.2 Change management," discusses the necessity of formal change control processes for all changes to production environments, including facilities, systems, and applications, to prevent adverse impacts on security. (Note: This book is widely used as courseware in university programs on information security management).
3. von Solms, R., & von Solms, B. (2018). Cybersecurity and information security – what’s the difference? The VIRTE-Journal, 1, 1-16.
Reference: This academic journal article, in its discussion of implementing comprehensive information security frameworks like ISO 27001, emphasizes that operational controls such as change management are critical for maintaining the security posture established by the ISMS (p. 11).